+ return error;
+}
-commit 29fb087c5df8bb8ac354ab58d33c43e68270123b
-Author: John Johansen <john.johansen@canonical.com>
-Date: Wed Aug 31 21:10:06 2016 -0700
-
- apparmor: fix change_hat not finding hat after policy replacement
-
- After a policy replacement, the task cred may be out of date and need
- to be updated. However change_hat is using the stale profiles from
- the out of date cred resulting in either: a stale profile being applied
- or, incorrect failure when searching for a hat profile as it has been
- migrated to the new parent profile.
-
- Fixes: 01e2b670aa898a39259bc85c78e3d74820f4d3b6 (failure to find hat)
- Fixes: 898127c34ec03291c86f4ff3856d79e9e18952bc (stale policy being applied)
- Signed-off-by: John Johansen <john.johansen@canonical.com>
-diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
-index f2a83b4..dbd68f2 100644
---- a/security/apparmor/domain.c
-+++ b/security/apparmor/domain.c
-@@ -621,8 +621,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
- /* released below */
- cred = get_current_cred();
- cxt = cred_cxt(cred);
-- profile = aa_cred_profile(cred);
-- previous_profile = cxt->previous;
-+ profile = aa_get_newest_profile(aa_cred_profile(cred));
-+ previous_profile = aa_get_newest_profile(cxt->previous);
-
- if (unconfined(profile)) {
- info = "unconfined";
-@@ -718,6 +718,8 @@ audit:
- out:
- aa_put_profile(hat);
- kfree(name);
-+ aa_put_profile(profile);
-+ aa_put_profile(previous_profile);
- put_cred(cred);
-
- return error;